Information Security - Incident Handling Procedures

Make sure the system is disconnected from the network. This is to protect UAB from any additional impact from the incident.

Determine the affected data.

Confirm whether or not sensitive data was housed on the compromised device. This includes employee, student, patient, or research data. Determine if any sensitive data was inappropriately accessed. If so, immediately escalate to both your local management and the UAB Data Security (https://silo.dso.uab.edu/incident or call 205-975-0842).

If sensitive data is at risk, do not perform additional activity until you have spoken with Data Security.

Perform Root Cause Analysis

Establish the reason that the system was exploited. Ask yourself these questions:

Did an end user install something harmful?

Was it caused by a weak password?

Was the system missing a patch?

Remediate the issue

The best way to restore a compromised machine is frofm a trusted backup or to do a clean installation. Even what used to be routine virus infections have become so advanced that we cannot trust a system once it's been infected.

Perform password changes for end users and any administrators that may have used the system as well. This includes BlazerIDs and other accounts such as websites that were accessed from the compromised machines. Local Administrator passwords should also be changed.

Reconnect to the network

Once the system has been properly remediated, UAB Data Security, in conjunction with the HIPAA Security Office, will reconnect the machine to the network. This process can take up to 24 hours after the initial request.

If you receive a notice saying the machine was compromised, the best way to get reconnected is to reply to that email.